Accepting request 630992 from home:vitezslav_cizek:branches:security:tls

- Update to 3.6.3
  Fixes security issues:
  CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
  (bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
  Other Changes:
  ** libgnutls: Introduced support for draft-ietf-tls-tls13-28
  ** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
     earlier and TLS 1.3.
  ** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
  ** Provide a uniform cipher list across supported TLS protocols
  ** The SSL 3.0 protocol is disabled on compile-time by default.
  ** libgnutls: Introduced function to switch the current FIPS140-2 operational
     mode
  ** libgnutls: Introduced low-level function to assist applications attempting client
     hello extension parsing, prior to GnuTLS' parsing of the message.
  ** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
     modifications to the certificate.
  ** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
     which are preferred by the server.
  ** Improved counter-measures for TLS CBC record padding.
     ** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
     of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
  ** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
     GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
  ** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
     gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
     unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
     change for these functions which make them err towards safety.
  ** libgnutls: improved aarch64 cpu features detection by using getauxval().
  ** certtool: It is now possible to specify certificate and serial CRL numbers greater

OBS-URL: https://build.opensuse.org/request/show/630992
OBS-URL: https://build.opensuse.org/package/show/security:tls/gnutls?expand=0&rev=4
This commit is contained in:
Tomáš Chvátal 2018-08-23 07:10:46 +00:00 committed by Git OBS Bridge
parent 31a755e11b
commit a081367f85
6 changed files with 44 additions and 7 deletions

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:bcd5db7b234e02267f36b5d13cf5214baac232b7056a506252b7574ea7738d1f
size 8093304

Binary file not shown.

3
gnutls-3.6.3.tar.xz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ed642b66a4ecf4851ab2d809cd1475c297b6201d8e8bd14b4d1c08b53ffca993
size 8010284

BIN
gnutls-3.6.3.tar.xz.sig Normal file

Binary file not shown.

View File

@ -1,3 +1,40 @@
-------------------------------------------------------------------
Wed Aug 22 15:40:33 UTC 2018 - vcizek@suse.com
- Update to 3.6.3
Fixes security issues:
CVE-2018-10846, CVE-2018-10845, CVE-2018-10844, CVE-2017-10790
(bsc#1105437, bsc#1105460, bsc#1105459, bsc#1047002)
Other Changes:
** libgnutls: Introduced support for draft-ietf-tls-tls13-28
** libgnutls: Apply compatibility settings for existing applications running with TLS1.2 or
earlier and TLS 1.3.
** Added support for Russian Public Key Infrastructure according to RFCs 4491/4357/7836.
** Provide a uniform cipher list across supported TLS protocols
** The SSL 3.0 protocol is disabled on compile-time by default.
** libgnutls: Introduced function to switch the current FIPS140-2 operational
mode
** libgnutls: Introduced low-level function to assist applications attempting client
hello extension parsing, prior to GnuTLS' parsing of the message.
** libgnutls: When exporting an X.509 certificate avoid re-encoding if there are no
modifications to the certificate.
** libgnutls: on group exchange honor the %SERVER_PRECEDENCE and select the groups
which are preferred by the server.
** Improved counter-measures for TLS CBC record padding.
** Introduced the %FORCE_ETM priority string option. This option prevents the negotiation
of legacy CBC ciphersuites unless encrypt-then-mac is negotiated.
** libgnutls: gnutls_privkey_import_ext4() was enhanced with the
GNUTLS_PRIVKEY_INFO_PK_ALGO_BITS flag.
** libgnutls: gnutls_pkcs11_copy_secret_key, gnutls_pkcs11_copy_x509_privkey2,
gnutls_pkcs11_privkey_generate3 will mark objects as sensitive by default
unless GNUTLS_PKCS11_OBJ_FLAG_MARK_NOT_SENSITIVE is specified. This is an API
change for these functions which make them err towards safety.
** libgnutls: improved aarch64 cpu features detection by using getauxval().
** certtool: It is now possible to specify certificate and serial CRL numbers greater
than 2**63-2 as a hex-encoded string both when prompted and in a template file.
Default certificate serial numbers are now fully random.
- don't run autoreconf to avoid pulling in gtk-doc
-------------------------------------------------------------------
Tue Jul 31 10:04:17 UTC 2018 - schwab@suse.de

View File

@ -29,7 +29,7 @@
%bcond_with tpm
%bcond_without guile
Name: gnutls
Version: 3.6.2
Version: 3.6.3
Release: 0
Summary: The GNU Transport Layer Security Library
License: LGPL-2.1-or-later AND GPL-3.0-or-later
@ -168,7 +168,7 @@ GnuTLS Wrappers for GNU Guile, a dialect of Scheme.
export LDFLAGS="-pie"
export CFLAGS="%{optflags} -fPIE"
export CXXFLAGS="%{optflags} -fPIE"
autoreconf -fiv
#autoreconf -fiv
%configure \
gl_cv_func_printf_directive_n=yes \
gl_cv_func_printf_infinite_long_double=yes \
@ -177,7 +177,7 @@ autoreconf -fiv
--disable-silent-rules \
--with-default-trust-store-dir=%{_localstatedir}/lib/ca-certificates/pem \
--with-sysroot=/%{?_sysroot} \
--with-guile-site-dir=no \
--with-guile-site-dir=%{_datadir}/guile \
%if %{without tpm}
--without-tpm \
%endif
@ -307,7 +307,7 @@ make %{?_smp_mflags} check || {
%if %{with guile}
%files guile
%{_libdir}/guile/*
%{_datadir}/guile/site/gnutls*
%{_datadir}/guile/gnutls*
%endif
%changelog